Category Archives: For Business

Why Removing Admin Rights Closes Critical Vulnerabilities in Your Organization

First of all, let’s clear up any confusion the title might have brought on: this is not about removing admin rights forever, for everyone but yourself or anything like that. This is about making the removal of admin rights the default setting in your organizational network.

After making sure every employee except a few system administrators has a standard user account instead of an administrative one, administrative rights should be granted on a case-by-case basis.

Since we recently launched our automated admin rights privilege management software, Thor AdminPrivilege™, I decided it would be the perfect time to dive in-depth into this topic.

Here is our best guide on how removing admin rights improves your security on all counts and how to be effective about it (regardless of whether you use our software or not).

What you can expect to find in the following guide:

  • Why free admin rights are dangerous (for both internal and external threats)
  • The vulnerabilities which get closed by removing admin rights
  • How risks are minimized by removing admin rights
  • Data and real-world examples
  • Best practices for minimizing risks derived from admin privileges

Ready? Let’s go!

Managing Admin Rights for Neutralizing Insider Threat

You may already be familiar with the concept of neutralizing insider threat by managing admin rights.

First of all, as a disclaimer, you should know that removing admin rights from regular users inside your organization doesn’t completely eliminate the risks associated with insider threat. You can’t control every dangerous thing a user might do just by removing administrative rights from their endpoint.

There are still plenty of risky things which an employee can do, both intentionally and unintentionally, even without admin privileges. These include:

  • Setting a weak password or a password they also use for other personal accounts;
  • Sharing their password with others, who might be targeting the employee for malicious purposes;
  • Clicking unsafe links from emails or the web;
  • Giving protected information to malicious third parties, because of a scam (like CEO fraud) or intentionally;
  • Snooping through the files on a colleague’s workstation when they leave it unattended (risky especially if the colleague has access to more sensitive data than they do);
  • Inserting an infected USB stick or external hard drive into a work station.

Still, removing admin rights by default is often the bare minimum for reducing insider threat considerably. Not many people realize that removing admin rights still doesn’t prevent every insider threat risk, but almost everyone knows it’s a good thing to do, security-wise.

Here are just some of the risks derived from granting everyone admin privileges. As you’ll see, a user can do even more harm to your organization if they do have access to full administrative rights. Such things include:

  • Installing malicious apps like spyware or malware meant to steal money, data or disrupt activities;
  • Creating back-doors for third parties to install malicious apps or to hijack the systems;
  • Accessing or exporting sensitive data which can then be further mishandled;
  • Making configuration changes that lock legitimate users out of the systems;
  • Publishing misleading or embarrassing content in order to cause a PR crisis etc.

Of course, this doesn’t mean that the user would willingly do all of these things, but it’s something which hackers could accomplish by tricking a user with admin privileges. The trick could be accomplished by almost anything – a spam email, a USB stick which the hackers replaced with one of their own and so on.

So why then do some organizations still allow default administrative rights to their users? Because they are still succumbing to some dangerous myths about admin privileges:

  • Only employees who hate us could cause harm and we get along well with all employees;
  • We have anti-virus and a firewall installed so we’re fine, there’s no harm they could do;
  • If admins need to approve all requests they will lose a ton of time;

I have to admit that there may be a grain of truth in some of the myths above, but not in the way people who buy into these myths may think. For example, it does indeed help to have an anti-virus solution and firewall installed, but it’s not enough.

Also, it is true that admins lose a bit of time approving admin rights requests, but that’s nothing compared to the risk they help avoid and, more importantly, the time waste can be completely avoided by using admin rights management software (like our Thor AdminPrivilege™).

Managing Admin Rights for Neutralizing External Threat. Vulnerabilities Closed by Removing Admin Rights

Few people know this, but removing admin rights and granting them only upon request and within a specific time frame can help close off external threats too. It’s not just about managing insider threat. It’s also about closing security gaps which are often found in common B2B software, operating systems and so on.

Such systemic vulnerabilities are often discovered and patched without a breach having to happen for security researchers to become aware of the threat. But other times, unfortunately, the vulnerabilities are discovered by hackers and exploited before they can be patched up.

So, what can you do to avoid your company becoming the next news-worthy example of a breach?

Removing default admin privileges across your organization is the most immediately effective protective measure you can take.

Examples of data breaches done by hackers exploiting system vulnerabilities

Just to give you a better idea about the scope of the danger, here is what you should be aware of.

  • 63% of all data breaches come from weak or stolen passwords – if users didn’t have admin privileges, this would not be so dangerous;
  • 74% of all data breaches come from the abuse of accounts with admin privileges;
  • In a notoriously bad decision, Equifax used ‘admin’ as the username and password of a database, leading to a huge data breach;
  • Deloitte had a data breach in 2017 by having accounts with admin privileges compromised;
  • Facebook has been all over the news with scandals and data breaches and leaks derived from mishandling of admin rights;
  • Linksys routers leaked all historic records in May 2019 because that was their default admin setting;
  • Marriott had the financial data of over 400 million users stolen over a time window of 4 years – if unauthorized access had been tracked better through admin rights management, the breach would have been discovered sooner;

I could go on, but I think you now have a better picture of what happens when administrative rights are mishandled. News of data breaches pops up all the time, but while you learn the technical details and methods used by hackers (DNS hijacking, a Trojan, good old malware, etc.), you rarely hear how it all began and how the hackers gained access in the first place: through abusing an account with administrative privileges.

Systemic vulnerabilities which can be closed by removing admin rights from users

Besides classic insider threat scenarios, there are also system vulnerabilities which can be easily abused from a fully-privileged account.

An analysis of Microsoft security advisories found that the number of Microsoft vulnerabilities rated ‘critical’ is rising, increasing by 29% over a period of 6 years (from 2013 to 2018). In 2018, there were over 700 vulnerabilities reported for various Windows OS versions.

Only 272 vulnerabilities have been reported for 2019 at the time of writing this article (June 2019), but it’s still a huge figure. This doesn’t mean that Microsoft products are bad or insecure; on the contrary. But system vulnerabilities are inevitable in products with a user base this large and with hackers working tirelessly to find loopholes in them.

Since risk is inevitable, the only way to mitigate it is to remove admin privileges for regular users and only grant them upon request and for a limited time frame.

Best Practices for Managing Admin Rights Securely

Here are a few best practices for managing your admin rights safely and in the most productive way for both your users and your system administrators.

#1. Nurture an environment of ‘least privilege’

Important: Please note that we encourage you to create a security stance of ‘least privilege’, but not necessarily a company culture of ‘need to know basis’. Internal transparency helps employees see beyond their own little grid, understand the purpose of their individual tasks and contribute toward the end goals more effectively. So, except in cases where you are dealing with really sensitive info, don’t fall into the trap of creating a company culture based on secrecy, or your overall productivity will drop.

#2. Automate the escalation and de-escalation of admin privileges

Automation is by far the most effective way to escalate and de-escalate admin privileges for all endpoint users within the organization, without occupying most of the sysadmins’ time with these tasks.

Reliable admin rights management software (such as our Thor AdminPrivilege™) not only automates the process of requesting admin rights (from the user’s side) and granting or denying them (from the admin’s side), but it also uses intelligence from our cybersecurity suite to flag endpoints with suspicious activity and to make endpoint quarantine easier.

#3. Make sure administrators follow up on each case unless de-escalation is automated

If you’re going to stick to manual work for escalating and de-escalating admin rights, at least make sure that whenever admin privileges are granted to a user, the admins follow up shortly afterwards to de-escalate them.

The recommended time window is 5 to 15 minutes, since that’s enough for the user to install whatever software they need. We also recommend that the system administrator oversees exactly which software will be installed, because when admin rights management is not automated there is a risk of the user unwittingly installing a corrupted file.
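As an added illustration of the follow-up described in #3 (this is not code from the original post or from Thor AdminPrivilege™), the PowerShell script below grants local admin rights for a bounded window and schedules the de-escalation up front, so the follow-up cannot be forgotten and every grant and revoke is logged. The user name, log directory and task name are placeholders; it assumes Windows 10 / Server 2016 or later and an elevated session.

```powershell
# Added example: time-boxed local admin grant with scheduled revoke and an audit log.
# Assumes the built-in LocalAccounts and ScheduledTasks modules; run from an elevated session.
param(
    [Parameter(Mandatory)] [string] $User,              # e.g. 'CORP\jdoe' (placeholder)
    [ValidateRange(5, 15)] [int]    $Minutes = 10,      # the 5-15 minute window recommended above
    [string] $LogDir = 'C:\ProgramData\AdminGrant'      # assumed path; restrict its ACL to admins and SYSTEM
)

$Group    = 'Administrators'
$LogPath  = Join-Path $LogDir 'grants.log'
$SafeName = $User -replace '[\\/@ ]', '_'
$TaskName = "RevokeAdmin-$SafeName"                     # placeholder naming scheme
$Revoke   = Join-Path $LogDir "revoke-$SafeName.ps1"

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
function Write-GrantLog([string] $Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
}

# Refuse overlapping grants: an existing membership means an earlier grant was never revoked.
if (Get-LocalGroupMember -Group $Group -Member $User -ErrorAction SilentlyContinue) {
    throw "$User is already in $Group; investigate before granting again."
}

# The revoke script later runs as SYSTEM, so it must not depend on the granting admin's session.
@"
Remove-LocalGroupMember -Group '$Group' -Member '$User' -ErrorAction Stop
Add-Content -Path '$LogPath' -Value ("{0} REVOKE user=$User group=$Group task=$TaskName" -f (Get-Date -Format o))
Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false
"@ | Set-Content -Path $Revoke -Encoding UTF8

$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Revoke`""
$Trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest

# Register the revocation before granting: if scheduling fails, no elevation happens at all.
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Force | Out-Null
Add-LocalGroupMember -Group $Group -Member $User
Write-GrantLog "GRANT user=$User group=$Group minutes=$Minutes by=$env:USERNAME revoke_task=$TaskName"
Write-Host "$User is a local administrator until $((Get-Date).AddMinutes($Minutes).ToString('HH:mm'))"
```

The log file doubles as the "breadcrumbs" mentioned under #5: a GRANT line without a matching REVOKE line is an elevation that needs investigating.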

#4. Make sure there are procedures in place for endpoint quarantine

What happens if an account gets breached by insider threat? Can you ensure that there’s no way that account can perform any actions which could have consequences for the security of your company?

Make sure your internal policy and technical safety measures allow your system admins to de-escalate any privileges fast and then quarantine the compromised endpoint. Of course, automated admin rights management software can do that faster and more effectively, but it can be done manually too.

#5. Make sure the super-user accounts are also secured

By super-user accounts I mean the accounts of system administrators who have the privileges to install any software, access any data, escalate or de-escalate the admin rights of other users and so on.

While it’s important to have one or more system administrators to manage the rights of the other users in the organization securely, you must set in place procedures for securing their accounts as well. In the event that one of the admins has their own account hacked, how well will your organization be able to handle the crisis?

The best way to go about it is to talk with your CTO and sysadmins about establishing a crisis management procedure specifically for this kind of scenario. Include priorities such as making the activity of system admins transparent to other system admins, ensuring the system records their actions (an audit trail) for accountability, preventing administrative tasks from being done remotely, and allowing the other admins to de-escalate a compromised admin account fast in case of a breach.

Wrapping it up

If you’re currently offering admin privileges to all users or some users within your organization, go review the status of these rights ASAP. Create a map of user admin privileges and a procedure for granting them. Removing admin rights by default is the bare minimum you need to do to secure your organization from critical vulnerabilities related to insider threat.

Use specialized software for managing admin rights securely, like our Thor AdminPrivilege™. Be vigilant: while trusting your employees, limit the damage that a hacker could do if they breach an employee account.

Have more than one admin account and allow admins to contain the damage if one of the super-user accounts gets compromised. Stay up to date with the latest threats and practices (for example, by checking back here and reading our blog). Make sure the rest of your cybersecurity system is ready for any challenge by setting up a multi-layered approach.

Removing admin privileges is but a first step to getting more secure, but it’s an essential one. As long as you do it ASAP and create a coherent internal policy for admin rights escalation, you’re definitely on the right track!

The post Why Removing Admin Rights Closes Critical Vulnerabilities in Your Organization appeared first on Heimdal Security Blog.

What Automation Means for Your Business’ Security

Businesses across the country are being won over by the many productivity and efficiency benefits offered by automation. A study from ReportLinker estimates the digital process automation market is expected to grow to $12.61 billion by 2023, a compound annual growth rate of 13.13 percent. From manufacturing to marketing, many types of businesses have found ways to integrate automation into their daily operations. Companies like Oracle, who recently increased automation levels for apps in its sales suite, are finding new ways to offer automation tools to various types of professionals.

Workforces are seeking to embrace more digitized tools, processes, and practices in the hope of improving operations and helping their employees become as productive and efficient as possible. Whether it be in the form of document sharing platforms, instant messaging apps, or self-driving cars, one thing is for sure: automation will play a critical role in this transition. As Dhruv Asher, UiPath’s senior vice president of business development and product alliances, tells Investors’ Business Daily, “Robotic Process Automation is a cornerstone for digital transformation. If you talk to any [chief information officer] they’re looking to create a modern workforce for a digital economy, to go through a digital transformation.”

But as automation tools gain popularity with business professionals, what impact will they have on business security? Here are four security concerns to keep in mind when implementing automation tools in your business.

Beware the automation-savvy hacker

Just as businesses, governments, and other organizations have begun to index data and automate processes, so have malicious hackers. Though hacking used to require more hands-on technical competence, automated “hacking tools” have evolved in sophistication and scope, making it much simpler for hackers to break into even complex systems. Port scanners and password crackers are examples of tools that automate simple, repetitive processes exponentially faster than humans. Because automatically finding vulnerabilities is now much simpler for attackers, organizations of all sizes must find and implement strategies to resist these automated attacks.

Misconfigured, outdated, or unpatched software can enable successful external cyber attacks. Businesses must learn to be proactive in their patch management and should consistently monitor systems for any vulnerabilities that would leave them susceptible to hackers. Organizations looking to defend against external threats should consider how the daily work of the IT department impacts overall data security.

Limit password sharing for automation tools

Some of the most popular tools for business automation are those that can automatically pay monthly bills. They’re extremely beneficial for businesses; forgetting to pay a bill can otherwise negatively impact a company’s access to lines of credit. Many companies use these tools to deduct the necessary amounts each month, often on a specific day. However, a business should restrict permissions to those accounts and assign multiple personnel to monitor transactions. There is always a possibility for insider threats, whether intentional or unintentional, so businesses should have proper checks and balances in place. Because automated bill-pay systems are often monitored less than those that have to be completed manually, malicious insiders and outsiders can easily wreak havoc on the system. They can change payment schedules, delete payment methods, or withdraw large sums of money, all of which can negatively impact a business’s finances.

Don’t ignore update notifications

Many automation tools display pop-up messages when new software updates are available. These messages can be easy to ignore. You might be in the middle of a project or an important email, or just deep in the workday, and can’t take the time to reboot the system or your device right at that moment. You’re not alone: a Google study from 2015 found that just 38 percent of regular software users update their programs automatically or immediately upon being notified that a new version is available.

However, it’s important for users to update their software as soon as possible. Sometimes the updates only add new features, but, more often than not, they also address bugs that could compromise security. It’s best for businesses to check for software updates on a schedule, whether weekly, bi-weekly, or on a particular day each month. For example, Microsoft introduced Patch Tuesday in 2003, which is the unofficial name for its scheduled release of security fixes on the second Tuesday of each month. If you’re concerned regular updates will disrupt your workday, try to schedule maintenance outside your regular work hours or during other periods of downtime, such as your lunch hour.
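To make the scheduled check described above concrete, here is an added PowerShell example (not from the original article) that reports which Windows updates are still pending on a host and fails with a non-zero exit code when any has been outstanding longer than an assumed policy threshold, so a task run the day after Patch Tuesday can flag machines that are falling behind. It uses the built-in Windows Update Agent COM API and assumes an elevated session; the 30-day threshold is an assumption.

```powershell
# Added example: list pending Windows updates and flag overdue ones for a scheduled patch check.
# Uses the Windows Update Agent COM API that ships with Windows; run as administrator.
param([int] $MaxAgeDays = 30)   # assumed policy: anything pending longer than this is overdue

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# IsInstalled=0 returns updates applicable to this host that are not yet installed;
# IsHidden=0 leaves out updates an admin has deliberately hidden.
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title           = $u.Title
        Severity        = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'None' }
        Published       = $u.LastDeploymentChangeTime
        DaysOutstanding = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
        KB              = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    }
}

if (-not $pending) {
    Write-Host 'No pending updates.'
    exit 0
}

$pending | Sort-Object DaysOutstanding -Descending | Format-Table -AutoSize

# Exit non-zero so a scheduled task or monitoring agent can alert on overdue hosts.
$overdue = @($pending | Where-Object { $_.DaysOutstanding -gt $MaxAgeDays })
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) update(s) pending longer than $MaxAgeDays days on $env:COMPUTERNAME"
    exit 2
}
```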

Use automation for security too

Let’s face it: many security professionals aren’t the biggest fans of automation, especially when it’s applied to their everyday processes. Putting machines in control of things like provisioning, data access, backup, and a host of other functions can add more risk to an already risky environment. Though an automated organization does pose new security challenges, the fact is the same tools being used to augment other departments, like marketing or inventory management, can also be applied to security.

For example, according to the FireMon 2018 State of the Firewall report, which surveyed more than 300 security professionals, nearly 40 percent of respondents indicated the IT/cloud team or the application owner is responsible for network security in the cloud. Nearly one-fifth of respondents did not know who was responsible. This research indicates that people outside the security department are often responsible for cloud security. This is where automation can play an important role. Tasks in the change-management process, such as planning, risk assessment, and compliance testing, can all be automated, which improves workflows for these security professionals.

Although automation can be a tremendous help to businesses, it can also pose risks if it’s misused, neglected, or not sufficiently monitored. If you’re one of the many businesses looking to incorporate automation into your operations, be sure to monitor security effectively and review your security policies on a regular basis. Staying aware of the security concerns listed in this article will help businesses of all sizes and in all industries ensure they implement processes to use automation tools safely and effectively.

This article was written by guest author Marie Johnson.

About the author:

Contributor to Enlightened Digital, UX Designer and technology writer from New York City. If I’m not writing my latest blog post in my kitchen, you’ll likely find me strolling through Central Park, cappuccino in hand.

The post What Automation Means for Your Business’ Security appeared first on Heimdal Security Blog.